diff --git a/ad-auth/defaults/main.yml b/ad-auth/defaults/main.yml
index c8661831f9b36687ee8added0afcc16cead06405..d404727a3b8383869f8bea03beaa2e3b7c0f047a 100644
--- a/ad-auth/defaults/main.yml
+++ b/ad-auth/defaults/main.yml
@@ -3,3 +3,7 @@
 ad_admin_group: admin
 ad_admin_password: samba-admin
 ad_admin_password_content: "{{ lookup('passwordstore', ad_admin_password) }}"
+# Set this to force a specific DC for the renew_krb5 cron job
+# ad_auth_renew_force_dc: dc.example.org
+# Sync client credentials with Samba (i.e., winbindd)
+ad_auth_sync_samba: false
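Review bot: The comment above `ad_auth_sync_samba` does not say what enabling it does to the host's credentials. Per the template change in this commit it adds `--add-samba-data` to `adcli update`, which, as adcli documents it, writes the machine account password and domain SID into Samba's own databases through Samba's `net` utility. That creates a second on-disk copy of the machine secret and needs Samba installed on the host, so the comment should say so, e.g. `# Also write the renewed machine account password to Samba's databases (adcli --add-samba-data; requires Samba's net utility)`. The default of `false` is a sensible least-privilege choice and worth keeping.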
diff --git a/ad-auth/templates/renew_krb5.j2 b/ad-auth/templates/renew_krb5.j2
index 903f8b0a544045bd75187bbb29b4baa1c0fbdc13..c1cd9851f1905318dc61b522da876984c6d59618 100644
--- a/ad-auth/templates/renew_krb5.j2
+++ b/ad-auth/templates/renew_krb5.j2
@@ -1,3 +1,9 @@
 #!/bin/bash
-/usr/sbin/adcli update -D {{ domain }}
-
+/usr/sbin/adcli update \
+{% if ad_auth_renew_force_dc is defined %}
+	-S {{ ad_auth_renew_force_dc }} \
+{% endif %}
+{% if ad_auth_sync_samba %}
+	--add-samba-data \
+{% endif %}
+	-D {{ domain }}
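Review bot: `{{ ad_auth_renew_force_dc }}` and `{{ domain }}` are rendered unquoted into a bash script, so a value containing whitespace or shell metacharacters changes the command the cron job runs. Pass both through Ansible's `quote` filter: `-S {{ ad_auth_renew_force_dc | quote }} \` and `-D {{ domain | quote }}`. The `is defined` test is also true for an empty string, in which case `-S` would take the next option as its argument; `{% if ad_auth_renew_force_dc | default('') | length > 0 %}` avoids that. Pinning a single DC also means a renewal fails whenever that DC is unreachable, and the script as shown reports nothing on failure, so consider logging a non-zero exit from `adcli` to catch a machine account password that is going stale.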